Exam SY0-701 topic 1 question 198 discussion

Ty13 2 weeks, 2 days ago Selected Answer: B B. Internal Audit I know people want to select D because... it sounds right. External audit to compare against external regulations. But there's a part being overlooked: 'would like to gain an understanding'. Which you don't NEED a third party to confirm, because the company already KNOWS those regulations. But you WOULD need an external audit if there was a large breach and the regulatory agencies wanted to know how it happened. What is being asked, effectively, is "Can an internal audit team verify that we meet external regulations?"

Answer: D. External examination Explanation: An external examination is the best approach for the CISO to gain an understanding of how the company's security policies compare to the requirements imposed by external regulators. This process typically involves an external party, such as a third-party auditor or regulatory body, reviewing the company's security policies and controls to ensure they align with industry regulations and standards. While internal audits (B) assess the company's internal controls and practices, external examinations provide an unbiased review from an external perspective, which is essential for understanding compliance with external regulatory requirements.

In my opinion, it's Internal audit. It's more likely to be a sequential things (Based on an ISO-9001 external audit I experienced before). A company usually do an internal audit before proceeding to an external audit, because external audit must have a authorized third-party auditors and can be quite costly to be certified that your company is qualified by the auditors. In most cases, the auditors may conclude some corrective actions(like CAR) that need your company to finish. After the correction report is submitted and validated by the auditors, your company can receive the approved certification.

The correct answer is: C. Attestation. Explanation: Attestation: This involves an independent third party verifying that the company's security policies, processes, or systems meet the requirements imposed by external regulations. Attestations are often used to demonstrate compliance with regulatory frameworks and standards such as SOC 2, ISO 27001, or GDPR.

An internal audit is a comprehensive evaluation of a company's operations, processes, and policies to ensure they are compliant with internal standards as well as external regulations. In the context of comparing the company's security policies to external regulatory requirements, an internal audit would be the most appropriate tool. It involves reviewing and assessing the security measures and procedures in place and determining how well they align with legal and regulatory requirements, ensuring that the company meets compliance standards. Why not D. External examination: An external examination is typically performed by third-party auditors or regulators to assess compliance with external standards and regulations. While it can provide valuable insights into regulatory adherence, it is not the best tool for an internal review by the CISO. An internal audit allows the CISO to assess the company's own security policies and their alignment with external regulations before seeking an external review.

D. External examination An external examination by a qualified third-party auditor can provide an objective assessment of the company's security practices against industry standards and regulatory requirements. This can help the CISO identify any gaps or weaknesses in the company's security posture and take corrective action. The other options are not as suitable:

vendor's self-assessment of practices against industry or organizational requirement

Between the two options, D. External examination is the most suitable for understanding how the company’s security policies compare to external regulatory requirements. An external examination involves an independent review by an external party, providing an objective assessment of the company’s compliance with regulatory standards. This ensures that the evaluation is unbiased and thorough, which is crucial for regulatory compliance.

The CISO should use: B. Internal audit An internal audit is a structured assessment of the company's security policies, processes, and controls to ensure they meet both internal standards and external regulatory requirements. This will help the CISO understand how well the company's security policies align with the requirements imposed by regulators.

B. Internal Audit I know people want to select D because... it sounds right. External audit to compare against external regulations. But there's a part being overlooked: 'would like to gain an understanding'. Which you don't NEED a third party to confirm, because the company already KNOWS those regulations. But you WOULD need an external audit if there was a large breach and the regulatory agencies wanted to know how it happened. What is being asked, effectively, is "Can an internal audit team verify that we meet external regulations?"

An external examination (also known as an external audit or external review)

even GPT Said

D external examination is best here

It is D period. And for the exam, make the association "External with External" DONE

External examination: An external examination, conducted by an independent third party, can provide an objective assessment of the company's security policies and practices against external regulatory requirements. This can help the CISO identify any gaps or areas for improvement. Penetration test: While penetration tests can identify vulnerabilities in the company's security infrastructure, they don't directly assess compliance with external regulations. Internal audit: Internal audits can assess the company's adherence to internal policies and procedures, but they might not provide a comprehensive view of compliance with external regulations. Attestation: Attestation is a formal process of providing assurance about a specific claim or assertion. While it might involve compliance with regulations, it doesn't necessarily provide a full assessment of the company's security policies and practices.

B. Internal audit An internal audit allows the CISO to assess how the company's security policies align with the requirements imposed by external regulators. This process involves reviewing and evaluating the company's policies, procedures, and controls to ensure compliance with regulatory standards.

D. External Examination An external examination involves a review or assessment conducted by an independent third party, often to evaluate how an organization's policies, procedures, and practices align with regulatory requirements or industry standards. This process is crucial for identifying gaps between the company’s internal security policies and the requirements imposed by external regulators. It provides the CISO with an unbiased understanding of the organization’s compliance status.